var _hmt = _hmt || []; (function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?d387e539c1f2d34f09a9afbac8032280"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s); })();

Dark Reading is part of the Informa Tech Division of Informa PLC

7x彩票网appThis site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/17/2018
02:30 PM
Matt Ahrens
Matt Ahrens
Commentary
50%
50%

The Risks of Remote Desktop Access Are Far from Remote

RDP is used by fraudsters to steal and monetize data more often than you might think. But there are ways to stay safe.

No one wakes up thinking "today's the day I'm going to be hacked." Even though we've all seen big-name companies fall prey to cyberattacks, the majority of business owners don't think one will ever happen to them. They're wrong. Breaches at Target, Home Depot, and Equifax may capture all of the attention, but software commonly used by many small businesses makes them far more attractive targets to hackers.

The software? Remote Desktop. Many businesses use Remote Desktop to facilitate network access for remote employees over the Internet. But by granting such access, these businesses have made it much more likely they'll be targeted and hacked. Over a 10-year career providing incident response and forensics following data breaches, I've seen thousands of companies crippled by the exploitation of remote access points. And I've seen how quickly and effectively fraudsters leverage hijacked computers to steal and monetize data, and how they've used such access to take control of entire networks.

What Is Remote Desktop?
The Remote Desktop Protocol (also known as RDP) is used to allow remote access to a computer. After logging in, you can control that computer remotely in almost the same way you control your own computer. RDP is very easy to use and widely implemented. Remote Desktop even comes built-in to most versions of Microsoft Windows. When used within a private network, it's a very powerful business tool. Unfortunately, it's not secure enough to safely expose to the Internet.

Imagine a small (fictional) CPA firm, Joe's Taxes. Joe's Taxes has three partners and five accountants. What's the easiest way for all eight team members to access a single server with specialized accounting and tax software? You guessed it: RDP.  

With a Remote Desktop setup, Joe can access his tax server and client data from anywhere, as can his partners and employees. This is not only convenient but increases productivity in Joe's office. Joe's employees can now collaborate on projects and remotely access documents that are securely stored and backed up in the office.

What Could Go Wrong?
7x彩票网appCriminals, aware of the valuable information in the possession of businesses like Joe's, are also keen to remotely access this data. So keen that they've developed a wide array of tools to continuously look for remote access points on the Internet. Services such as Censys.io and Shodan.io, designed to map assets on the Internet, can also be used to discover potentially vulnerable targets. 

With remote access to a network, not only can criminals access sensitive information and hijack login credentials and identities, they can also use such access to deploy ransomware, such as the "SamSam" gang or Dharma ransomware. Even the access alone is worth something. Criminals routinely in criminal markets such as xDedic. Pricing is driven by where the server is located, what software it's running, and other attributes that signal its value to the criminal marketplace. You can bet that our fictional CPA firm would fetch a decent price. (See, for example, this ).

How Does This Work?
Once a firm is targeted, it's surprisingly easy to overcome the password protections in place. This is largely because there is only one factor to defeat: the password itself. In the absence of a multifactor authentication mechanism such as a text, phone call, or randomly generated token, the hacker is free to guess a user's password. With enough computing power, this is a process that can take only a few hours. Moreover, as a business adds more accounts over time, old unused accounts create an even larger surface to attack. Hackers also have access to billions of compromised credentials from past data breaches. Returning to our example, if even one of Joe's employees reused a password that was already breached, no guessing is required!

7x彩票网appIn reality, hackers have largely automated this process. Once they have a "hit," such as Joe's Taxes' server, they quickly identify all of the attributes of that server, including the fact that it has tax software installed, prior to putting it up for sale. At this point, any criminal can purchase access to Joe's server, from which they can steal information or impersonate Joe, including making fraudulent filings to the IRS.

How Widespread Is This Risk?
At Coalition, we detect Remote Desktop on the Internet in over 30% of the companies we underwrite for cyber insurance. These access points tend to be concentrated in smaller businesses, as well as those that manage IT services. At the time I wrote this, our underwriting platform had identified over 3 million IP addresses with RDP available on the Internet, 900,000 of which are located in the United States.

7x彩票网appOur fictional CPA firm is a great example of the risks of using RDP on the Internet. It is estimated that tax scams defrauded over $21 billion in 2016 alone, much of it facilitated by precisely this attack. However, CPA firms aren't alone. Any company that enables RDP access of the Internet is a target, and the consequences can be severe.

What You Can Do
The first, and most obvious, solution is to remove Remote Desktop from the Internet, even if not entirely. Access can be restricted behind a secure virtual private network or to known users using firewall rules. Alternatively, or in addition, a multifactor authentication mechanism can be implemented to augment traditional password authentication. A number of such solutions are available (some for free) that are compatible with RDP. 

Related Content:

Matt Ahrens leads the Security Team at Coalition, the leading technology-enabled cyber insurance solution, combining comprehensive insurance and free cybersecurity tools to help businesses manage and mitigate cyber-risk. Prior to Coalition, he co-founded The Crypsis Group, a ... View Full Bio
Comment  | 
Print  | 
More Insights
Webcasts
More Webcasts
White Papers
Reports
Comments
Newest First  |  Oldest First  |  Threaded View
50%
50%
Kanaiadhikary,
User Rank: Apprentice
12/31/2019 | 6:58:55 AM
Remote Desktop
Remote desktop is a rapidly growing technology today as it helps businesses to reduce costs, provide faster resolution to technical problems, convenience of providing support from anywhere etc. For better security, one can use on premise remote support solutions such as R-HUB remote support servers. It works from behind the firewall, hence giving better security. access computers.
50%
50%
AviatorBobo,
User Rank: Apprentice
6/22/2018 | 7:51:19 AM
Isnt Bandwith a factor also?
Dear Matt,

 

Thank you for a great article, with the coolest ever heading! :) My name is Mehmet, and I work at a Danish company called Secomea... We work with secure remote access for factories, and the likes... When you say that "With enough computing power, this is a process that can take only a few hours."? :) Is this really enough? I would guess that there are only so many re-tryes, before that connection is banned...? And what about the bandwith of the company that is being attacked in this way...? Isnt that a limiting factor also? :)
Time for Insider-Threat Programs to Grow Up
Robert Lemos, Contributing Writer,  1/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
7x彩票网app Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

PUBLISHED: 2020-01-06
A CWE-264 Permissions, Privileges, and Access Controls vulnerability exists in a folder within EcoStruxure Geo SCADA Expert (ClearSCADA) -with initial releases before 1 January 2019- which could cause a low privilege user to delete or modify database, setting or certificate files. Those users must h...

PUBLISHED: 2020-01-06
An Improper Authorization - CWE-285 vulnerability exists in EcoStruxure� Control Expert V14.0 and all versions of Unity Pro (previously calledEcoStruxure� Control Expert), which could allow a bypass of the authentication process between EcoStruxure Control E...

PUBLISHED: 2020-01-06
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon Quantum, Modicon Premium (see security notification for specific versions) which could cause a Denial of Service when writing specific physical memory blocks using Modbus TCP.

PUBLISHED: 2020-01-06
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon Quantum, Modicon Premium (see security notification for specific versions) which could cause a Denial of Service of the controller when reading specific memory blocks using Mod...

PUBLISHED: 2020-01-06
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon Quantum, Modicon Premium (see security notification for specific versions) which could cause a Denial of Service when reading data with invalid index using Modbus TCP.
66?????? 7072???? 7073???? 689????? 963???? 66????? 7073???? 7073???? 66???app 8????app